If attackers can scan for and discover open instance ports, such as port 3389 on a Windows instance and port 22 on a Linux instance, they can initiate attacks on these ports. You can prevent the attacks by modifying the default port or restricting access sources. In this topic, an Elastic Compute Service (ECS) instance that runs Windows Server 2012 R2 is used to describe how to use Windows Firewall with Advanced Security (WFAS) to restrict access from specific IP addresses.

Prerequisites

An Alibaba Cloud account is created. To create an Alibaba Cloud account, go to the Create Your Alibaba Cloud Account page.

Background information

WFAS is an important part of a layered security model. WFAS provides host-based two-way network traffic filtering to block unauthorized network traffic flowing into or out of the local computer. WFAS also works with Network Awareness to apply the corresponding security settings to the types of networks to which the computer is connected. WFAS integrates Windows Defender Firewall and Internet Protocol Security (IPsec) configuration settings into a single Microsoft Management Console (MMC). In this way, WFAS becomes an important part of a network isolation strategy.

Note The procedure described in this topic is not applicable to ECS instances that run Windows Server 2016. For ECS instances that run Windows Server 2016, we recommend that you restrict access sources by adding security group rules. For more information, see the "Security group rules for restricting access from instances to external websites" section in Security groups for different use cases. For information about how to add security group rules, see Add security group rules.

Use MMC to configure WFAS

  1. Enable the firewall.
    1. Press the shortcut keys Win+R to open the Run dialog box.
    2. Enter firewall.cpl and press the Enter key.
    3. Click Turn Windows Firewall on or off to view the firewall status.
      By default, the firewall is disabled.
  2. Check Remote Desktop Protocol (RDP) port 3389.
    1. Press the shortcut keys Win+R to open the Run dialog box.
    2. Enter wf.msc and press the Enter key.
    3. Click Inbound Rules. The preset Open RDP Port 3389 rule allows inbound traffic on the default RDP port 3389.
  3. Add RDP port 3389 to Windows Firewall with Advanced Security.
    1. In the Actions section, click New Rule.... The New Inbound Rule Wizard dialog box appears.
    2. In the Rule Type step, select Port and click Next.
    3. In the Protocol and Ports step, select TCP as the protocol, select Specific local ports and enter 3389 in the field, and then click Next.
    4. Select Allow the connection and click Next.
    5. Use the default settings and click Next.
    6. Enter a rule name. In this example, RemoteDesktop is used. Click Finish.
  4. Configure the scope.
    1. Right-click the created RemoteDesktop inbound rule and click Properties in the Actions section.
    2. On the Scope tab, select These IP addresses: in the Remote IP address section, add one or more IP addresses or CIDR blocks, and then click OK.
      Notice After the parameters on the Scope tab are configured, only the IP addresses that you specified in the Remote IP address section can access the Windows instance.
  5. Validate the scope. Add an IP address to the Remote IP address section. In this example, 1.1.1.1 is added. Then, click OK.
    The connection is automatically interrupted, which indicates that the parameters on the Scope tab are in effect.
    If the connection is not affected, right-click Open RDP Port 3389 and click Disable Rule in the Actions section.
  6. Log on to the ECS console and change the IP address in the Remote IP address section on the Scope tab to the public IP address of your computer to restore the connection.
    1. Log on to the ECS console.
    2. On the Instances page, find the instance that you want to connect to and click Connect in the Actions column.
    3. In the Instance Login dialog box, enter the password and click OK.
    4. Change the IP address in the Remote IP address section on the Scope tab of the RemoteDesktop inbound rule. In this example, the IP address 1.1.1.1 is changed to the IP address that you want to authorize.

Use CLI to configure WFAS

You can also run the netsh command in CLI to configure WFAS. The following section provides examples of the netsh command:
  • Export the firewall configuration file.
    netsh advfirewall export c:\adv.pol
  • Import the firewall configuration file.
    netsh advfirewall import c:\adv.pol
  • Restore the default settings of the firewall.
    netsh advfirewall reset
  • Disable the firewall.
    netsh advfirewall set allprofiles state off
  • Enable the firewall.
    netsh advfirewall set allprofiles state on
  • Set the default firewall policy for all profiles to block inbound traffic and allow outbound traffic.
    netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
  • Delete the ftp rule.
    netsh advfirewall firewall delete rule name=ftp
  • Delete all inbound rules for TCP local port 80.
    netsh advfirewall firewall delete rule name=all dir=in protocol=tcp localport=80
  • Add an inbound rule for Remote Desktop that allows traffic to port 3389. A rule name that contains spaces or parentheses must be enclosed in double quotation marks.
    netsh advfirewall firewall add rule name="remote desktop (TCP-In-3389)" protocol=TCP dir=in localport=3389 action=allow
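The following PowerShell script is an added example, not part of the original topic or of the Alibaba Cloud documentation. It performs steps 3 to 5 of the MMC procedure from the command line and, unlike the netsh examples above, sets the remote scope of the rule, then lists every enabled inbound rule that admits TCP/3389 so that an unscoped rule cannot silently undo the restriction. The address 203.0.113.10 is a placeholder for your own public IP address; run the script from an account with administrative rights, and replace the placeholder first, because the RDP session drops as described in step 5 if the scope does not cover your address.

```powershell
# Added example (not from the original page). Assumes Windows Server 2012 R2 with the
# NetSecurity module; 203.0.113.10 is a placeholder for the administrator's public IP.
$allowedSources = @('203.0.113.10/32')   # one or more IP addresses or CIDR blocks
$ruleName       = 'RemoteDesktop'        # same name as in the MMC procedure

# Step 1: make sure the firewall is enabled for every profile.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True

# Steps 3 and 4: create the scoped RDP allow rule, or update the scope if the rule exists.
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($null -eq $rule) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 3389 -Action Allow -RemoteAddress $allowedSources | Out-Null
} else {
    Set-NetFirewallRule -DisplayName $ruleName -RemoteAddress $allowedSources
}

# Step 5: the preset rule has no remote scope, so it still admits RDP from any address.
# Disable it; otherwise the scoped rule has no effect.
Disable-NetFirewallRule -DisplayName 'Open RDP Port 3389' -ErrorAction SilentlyContinue

# Verification: show every enabled inbound allow rule for TCP/3389 with its remote scope.
# A rule whose RemoteAddress is "Any" would reopen the port to everyone.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $port.Protocol -eq 'TCP' -and ($port.LocalPort -contains '3389')
    } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', ')
        }
    } | Format-Table -AutoSize
```

If the verification table lists any rule other than RemoteDesktop with RemoteAddress set to Any, disable that rule as well, because WFAS allows a connection when any enabled allow rule matches it.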